Description

CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment. CloudFront is a web service that speeds up the distribution of your static and dynamic web content, such as .html, .css, .js, and image files to your users. Through a worldwide network of data centers, It delivers your content. This network of data centers is called edge locations.

Geo-restrictions also known as geo-blocking, when the organization does not want to access any application or content for particular geographical locations, Organization needs to prevent users in specific geographic locations from accessing content. 

Here we ensure that CloudFront geo restriction feature. which use to restrict access at the country level. 


Rationale: 

Enabling this CloudFront geo-restriction for any particular country means it prevents users in specific countries from accessing your content. It should be enabled to allow access only from users in the whitelisted country or if the organization cannot distribute content in a particular country, It should deny access from users in the blacklisted country.


Impact:

  •  It allows only those users who belong to one of the countries on a whitelist of approved countries.

  •  If someone tries to access your content from one of the countries on a blacklist of banned countries it prevents those users

  •  It gives you the ability to block IP addresses based on Geo IP.

  •  If you enable it to secure your system or prevent DDoS attacks.


Default Value:

By default in the AWS account, no Distribution was created.

If you already created Distribution in CloudFront in this Distribution by default Geo Restrictions is disabled.


Audit:

Step 1: Login AWS account and go to CloudFront  console https://console.aws.amazon.com/cloudfront

Step 2: Click Distributions in the left navigation pane

Step 3: You can see if the distribution is created or not If any active distribution is available in your account then click the Viewing dropdown menu and select the Web option

Step 4: Select the CDN distribution that you want to examine and click on the Distribution Settings button

Step 5: Click on the Restriction tab and check the status of Geo Restriction

Note: If the status is Disabled for the selected CloudFront distribution,  the distribution configuration is not compliant.

→ Repeat all the above steps to verify the geo-restriction feature for other Amazon CloudFront CDN distributions


Via CLI:

Step 1: To list CloudFront distributions

aws cloudfront list-distributions

Step 2: Get the information about the distribution

aws cloudfront get-distribution --id <distribuiton_id>


Step 3: Get the configuration information about the distribution

aws cloudfront get-distribution-config --id <distribution_id>


Remediation:

Pre-Requisite:

  • Your account should contain at least one CloudFront Distribution

  • After auditing, if you notice Geo Restriction is not enabled, follow the implementation steps to enable


Implementation Steps:

Step 1: Login AWS account and go to CloudFront  console https://console.aws.amazon.com/cloudfront

Step 2: Click Distributions in the left navigation pane

Step 3: Select the distribution that you want to update and then click on the Distribution Settings button

Step 4:  In the Distribution Setting pane, click on the Restrictions tabs

Step 5: Select Geo Restriction and click on the Edit button

Step 6: Click on the Yes radio button then you see Restriction Type  in the restriction type it contains Whitelist and Blacklist below this Countries list select any country for whitelist or blacklist and click on Add >> button you can remove the country from the list by clicking on << Remove button 

Note: If you select restriction type to Whitelist then add countries into the list which you want to enable, for disable remove from the list. If you select restriction type to Blacklist, add countries that you don’t want to allow.

Step7:As per your choice done the whitelisting or blacklisting the country list then click on the Yes, Edit button


Backout Plan:

Remove the added country from the whitelist:

Step 1: Login AWS account and go to CloudFront  console https://console.aws.amazon.com/cloudfront

Step 2: Select the distribution that you want to update and then click on the Distribution Settings button 

Step 3:  In the Distribution Setting pane, click on the Restrictions tabs

Step 4: Select Geo Restriction and click on the Edit button 

Step 5: Select the country which you want to remove from the whitelist and click on the Remove button

Step 6: After removing the country from your whitelist click on the Yes, Edit button

Note: Similarly if you want to remove countries from the blacklist follow the same steps.


If you want to remove the Distribution then follow the below steps:

Step 1: Select the distribution and click on disable button

Step 2: Click on the Yes, Disable button 

Step 3: And click on the Delete button

→ Click on the Yes, Delete button


Via CLI:To delete a Cloudfront distribution